hadoop-mapreduce-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Todd Lipcon (JIRA)" <j...@apache.org>
Subject [jira] Created: (MAPREDUCE-2096) Secure local filesystem IO from symlink vulnerabilities
Date Tue, 28 Sep 2010 19:48:33 GMT
Secure local filesystem IO from symlink vulnerabilities
-------------------------------------------------------

                 Key: MAPREDUCE-2096
                 URL: https://issues.apache.org/jira/browse/MAPREDUCE-2096
             Project: Hadoop Map/Reduce
          Issue Type: Bug
          Components: jobtracker, security, tasktracker
    Affects Versions: 0.22.0
            Reporter: Todd Lipcon
            Assignee: Todd Lipcon
            Priority: Blocker


This JIRA is to contribute a patch developed on the private security@ mailing list.

The vulnerability is that MR daemons occasionally open files that are located in a path where
the user has write access. A malicious user may place a symlink in place of the expected file
in order to cause the daemon to instead read another file on the system -- one which the attacker
may not naturally be able to access. This includes delegation tokens belong to other users,
log files, keytabs, etc.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message